Remove password retrieval from podexec

Author: minjieqiu

pkg/splunk/enterprise/afwscheduler.go

@@ -179,6 +179,12 @@ var addTelApp = func(ctx context.Context, podExecClient splutil.PodExecClientImp
 	// Create pod exec client
 	crKind := cr.GetObjectKind().GroupVersionKind().Kind
 
+	adminPwd, err := splutil.GetSpecificSecretTokenFromPod(ctx, podExecClient.GetClient(), podExecClient.GetTargetPodName(), cr.GetNamespace(), "password")
+	if err != nil {
+		scopedLog.Error(err, "failed to retrieve admin password from pod secret")
+		return err
+	}
+
 	// Commands to run on pods
 	var command1, command2 string
 
@@ -188,14 +194,14 @@ var addTelApp = func(ctx context.Context, podExecClient splutil.PodExecClientImp
 		command1 = fmt.Sprintf(createTelAppNonShcString, telAppConfString, telAppDefMetaConfString)
 
 		// App reload
-		command2 = telAppReloadString
+		command2 = fmt.Sprintf(telAppReloadString, adminPwd)
 
 	} else {
 		// Create dir on pods
 		command1 = fmt.Sprintf(createTelAppShcString, shcAppsLocationOnDeployer, shcAppsLocationOnDeployer, telAppConfString, shcAppsLocationOnDeployer, telAppDefMetaConfString, shcAppsLocationOnDeployer)
 
 		// Bundle push
-		command2 = fmt.Sprintf(applySHCBundleCmdStr, GetSplunkStatefulsetURL(cr.GetNamespace(), SplunkSearchHead, cr.GetName(), 0, false), "/tmp/status.txt")
+		command2 = fmt.Sprintf(applySHCBundleCmdStr, GetSplunkStatefulsetURL(cr.GetNamespace(), SplunkSearchHead, cr.GetName(), 0, false), adminPwd, "/tmp/status.txt")
 	}
 
 	// Run the commands on Splunk pods
@@ -741,10 +747,16 @@ func installApp(rctx context.Context, localCtx *localScopePlaybookContext, cr sp
 		worker.appDeployInfo.AppPackageTopFolder = appTopFolder
 	}
 
+	adminPwd, err := splutil.GetSpecificSecretTokenFromPod(rctx, worker.client, localCtx.podExecClient.GetTargetPodName(), cr.GetNamespace(), "password")
+	if err != nil {
+		scopedLog.Error(err, "failed to retrieve admin password from pod secret")
+		return err
+	}
+
 	var command string
 	if worker.appDeployInfo.IsUpdate {
 		// App was already installed, update scenario
-		command = fmt.Sprintf("/opt/splunk/bin/splunk install app %s -update 1 -auth admin:`cat /mnt/splunk-secrets/password`", appPkgPathOnPod)
+		command = fmt.Sprintf("/opt/splunk/bin/splunk install app %s -update 1 -auth admin:%s", appPkgPathOnPod, adminPwd)
 	} else {
 		// install the app only if it was not already installed
 		// we can come to this block if post installation failed
@@ -763,7 +775,7 @@ func installApp(rctx context.Context, localCtx *localScopePlaybookContext, cr sp
 			return nil
 		}
 
-		command = fmt.Sprintf("/opt/splunk/bin/splunk install app %s -auth admin:`cat /mnt/splunk-secrets/password`", appPkgPathOnPod)
+		command = fmt.Sprintf("/opt/splunk/bin/splunk install app %s -auth admin:%s", appPkgPathOnPod, adminPwd)
 	}
 
 	streamOptions := splutil.NewStreamOptionsObject(command)
@@ -795,7 +807,13 @@ func isAppAlreadyInstalled(ctx context.Context, cr splcommon.MetaObject, podExec
 
 	scopedLog.Info("check app's installation state")
 
-	command := fmt.Sprintf("/opt/splunk/bin/splunk list app %s -auth admin:`cat /mnt/splunk-secrets/password`| grep ENABLED", appTopFolder)
+	adminPwd, err := splutil.GetSpecificSecretTokenFromPod(ctx, podExecClient.GetClient(), podExecClient.GetTargetPodName(), cr.GetNamespace(), "password")
+	if err != nil {
+		scopedLog.Error(err, "failed to retrieve admin password from pod secret")
+		return false, err
+	}
+
+	command := fmt.Sprintf("/opt/splunk/bin/splunk list app %s -auth admin:%s| grep ENABLED", appTopFolder, adminPwd)
 
 	streamOptions := splutil.NewStreamOptionsObject(command)
 
@@ -1736,7 +1754,12 @@ func (shcPlaybookContext *SHCPlaybookContext) triggerBundlePush(ctx context.Cont
 	shcPlaybookContext.setLivenessProbeLevel(ctx, livenessProbeLevelOne)
 
 	// Trigger bundle push
-	cmd := fmt.Sprintf(applySHCBundleCmdStr, shcPlaybookContext.searchHeadCaptainURL, shcBundlePushStatusCheckFile)
+	adminPwd, err := splutil.GetSpecificSecretTokenFromPod(ctx, shcPlaybookContext.client, shcPlaybookContext.podExecClient.GetTargetPodName(), shcPlaybookContext.cr.GetNamespace(), "password")
+	if err != nil {
+		scopedLog.Error(err, "failed to retrieve admin password from pod secret")
+		return err
+	}
+	cmd := fmt.Sprintf(applySHCBundleCmdStr, shcPlaybookContext.searchHeadCaptainURL, adminPwd, shcBundlePushStatusCheckFile)
 	scopedLog.Info("Triggering bundle push", "command", cmd)
 	streamOptions := splutil.NewStreamOptionsObject(cmd)
 	stdOut, stdErr, err := shcPlaybookContext.podExecClient.RunPodExecCommand(ctx, streamOptions, []string{"/bin/sh"})
@@ -1889,7 +1912,12 @@ func (idxcPlaybookContext *IdxcPlaybookContext) isBundlePushComplete(ctx context
 	reqLogger := log.FromContext(ctx)
 	scopedLog := reqLogger.WithName("isBundlePushComplete").WithValues("crName", idxcPlaybookContext.cr.GetName(), "namespace", idxcPlaybookContext.cr.GetNamespace())
 
-	streamOptions := splutil.NewStreamOptionsObject(idxcShowClusterBundleStatusStr)
+	adminPwd, err := splutil.GetSpecificSecretTokenFromPod(ctx, idxcPlaybookContext.client, idxcPlaybookContext.podExecClient.GetTargetPodName(), idxcPlaybookContext.cr.GetNamespace(), "password")
+	if err != nil {
+		scopedLog.Error(err, "failed to retrieve admin password from pod secret")
+		return false
+	}
+	streamOptions := splutil.NewStreamOptionsObject(fmt.Sprintf(idxcShowClusterBundleStatusStr, adminPwd))
 	stdOut, stdErr, err := idxcPlaybookContext.podExecClient.RunPodExecCommand(ctx, streamOptions, []string{"/bin/sh"})
 	if err == nil && strings.Contains(stdOut, "cluster_status=None") && !strings.Contains(stdOut, "last_bundle_validation_status=failure") {
 		scopedLog.Info("IndexerCluster Bundle push complete")
@@ -1912,7 +1940,12 @@ func (idxcPlaybookContext *IdxcPlaybookContext) triggerBundlePush(ctx context.Co
 
 	// Reduce the liveness probe level
 	idxcPlaybookContext.setLivenessProbeLevel(ctx, livenessProbeLevelOne)
-	streamOptions := splutil.NewStreamOptionsObject(applyIdxcBundleCmdStr)
+	adminPwd, err := splutil.GetSpecificSecretTokenFromPod(ctx, idxcPlaybookContext.client, idxcPlaybookContext.podExecClient.GetTargetPodName(), idxcPlaybookContext.cr.GetNamespace(), "password")
+	if err != nil {
+		scopedLog.Error(err, "failed to retrieve admin password from pod secret")
+		return err
+	}
+	streamOptions := splutil.NewStreamOptionsObject(fmt.Sprintf(applyIdxcBundleCmdStr, adminPwd))
 	stdOut, stdErr, err := idxcPlaybookContext.podExecClient.RunPodExecCommand(ctx, streamOptions, []string{"/bin/sh"})
 
 	// If the error is due to a bundle which is already present, don't do anything.
@@ -2068,12 +2101,17 @@ func handleEsappPostinstall(rctx context.Context, preCtx *premiumAppScopePlayboo
 	var command string
 
 	// Create CLI command
+	adminPwd, err := splutil.GetSpecificSecretTokenFromPod(rctx, preCtx.client, preCtx.localCtx.podExecClient.GetTargetPodName(), cr.GetNamespace(), "password")
+	if err != nil {
+		scopedLog.Error(err, "failed to retrieve admin password from pod secret")
+		return err
+	}
 	sslEn := getSslCliOption(appSrcSpec)
 	if cr.GetObjectKind().GroupVersionKind().Kind != "SearchHeadCluster" {
-		command = fmt.Sprintf("/opt/splunk/bin/splunk search '| essinstall --ssl_enablement %s' -auth admin:`cat /mnt/splunk-secrets/password`", sslEn)
+		command = fmt.Sprintf("/opt/splunk/bin/splunk search '| essinstall --ssl_enablement %s' -auth admin:%s", sslEn, adminPwd)
 	} else {
 		// Pass an extra parameter for SHC deployer in post install command
-		command = fmt.Sprintf("/opt/splunk/bin/splunk search '| essinstall --ssl_enablement %s --deployment_type shc_deployer' -auth admin:`cat /mnt/splunk-secrets/password`", sslEn)
+		command = fmt.Sprintf("/opt/splunk/bin/splunk search '| essinstall --ssl_enablement %s --deployment_type shc_deployer' -auth admin:%s", sslEn, adminPwd)
 	}
 
 	streamOptions := splutil.NewStreamOptionsObject(command)

pkg/splunk/enterprise/afwscheduler_test.go

@@ -2488,6 +2488,12 @@ func TestPodCopyWorkerHandler(t *testing.T) {
 
 func TestIDXCRunPlaybook(t *testing.T) {
 	ctx := context.TODO()
+
+	savedGetSpecificSecretTokenFromPod := splutil.GetSpecificSecretTokenFromPod
+	defer func() { splutil.GetSpecificSecretTokenFromPod = savedGetSpecificSecretTokenFromPod }()
+	splutil.GetSpecificSecretTokenFromPod = func(ctx context.Context, c splcommon.ControllerClient, podName string, namespace string, secretToken string) (string, error) {
+		return "changeme", nil
+	}
 	cr := enterpriseApi.ClusterManager{
 		TypeMeta: metav1.TypeMeta{
 			Kind: "ClusterManager",
@@ -2542,8 +2548,8 @@ func TestIDXCRunPlaybook(t *testing.T) {
 	// now replace the pod exec client with our mock client
 	podExecCommands := []string{
 		fmt.Sprintf(cmdSetFilePermissionsToRW, idxcAppsLocationOnClusterManager),
-		applyIdxcBundleCmdStr,
-		idxcShowClusterBundleStatusStr,
+		fmt.Sprintf(applyIdxcBundleCmdStr, "changeme"),
+		fmt.Sprintf(idxcShowClusterBundleStatusStr, "changeme"),
 	}
 	mockPodExecReturnContexts := []*spltest.MockPodExecReturnContext{
 		{
@@ -2839,6 +2845,12 @@ func TestSetLivenessProbeLevelForIDXC(t *testing.T) {
 
 func TestSHCRunPlaybook(t *testing.T) {
 	ctx := context.TODO()
+
+	savedGetSpecificSecretTokenFromPod := splutil.GetSpecificSecretTokenFromPod
+	defer func() { splutil.GetSpecificSecretTokenFromPod = savedGetSpecificSecretTokenFromPod }()
+	splutil.GetSpecificSecretTokenFromPod = func(ctx context.Context, c splcommon.ControllerClient, podName string, namespace string, secretToken string) (string, error) {
+		return "changeme", nil
+	}
 	cr := &enterpriseApi.SearchHeadCluster{
 		TypeMeta: metav1.TypeMeta{
 			Kind: "SearchHeadCluster",
@@ -4387,6 +4399,12 @@ func TestGetTelAppNameExtension(t *testing.T) {
 func TestAddTelAppCMaster(t *testing.T) {
 	ctx := context.TODO()
 
+	savedGetSpecificSecretTokenFromPod := splutil.GetSpecificSecretTokenFromPod
+	defer func() { splutil.GetSpecificSecretTokenFromPod = savedGetSpecificSecretTokenFromPod }()
+	splutil.GetSpecificSecretTokenFromPod = func(ctx context.Context, c splcommon.ControllerClient, podName string, namespace string, secretToken string) (string, error) {
+		return "changeme", nil
+	}
+
 	// Define CRs
 	cmCr := &enterpriseApiV3.ClusterMaster{
 		TypeMeta: metav1.TypeMeta{
@@ -4403,7 +4421,7 @@ func TestAddTelAppCMaster(t *testing.T) {
 	// Define mock podexec context
 	podExecCommands := []string{
 		fmt.Sprintf(createTelAppNonShcString, telAppConfString, telAppDefMetaConfString),
-		telAppReloadString,
+		fmt.Sprintf(telAppReloadString, "changeme"),
 	}
 
 	mockPodExecReturnContexts := []*spltest.MockPodExecReturnContext{
@@ -4427,7 +4445,7 @@ func TestAddTelAppCMaster(t *testing.T) {
 	// Test shc
 	podExecCommands = []string{
 		fmt.Sprintf(createTelAppShcString, shcAppsLocationOnDeployer, shcAppsLocationOnDeployer, telAppConfString, shcAppsLocationOnDeployer, telAppDefMetaConfString, shcAppsLocationOnDeployer),
-		fmt.Sprintf(applySHCBundleCmdStr, GetSplunkStatefulsetURL(shcCr.GetNamespace(), SplunkSearchHead, shcCr.GetName(), 0, false), "/tmp/status.txt"),
+		fmt.Sprintf(applySHCBundleCmdStr, GetSplunkStatefulsetURL(shcCr.GetNamespace(), SplunkSearchHead, shcCr.GetName(), 0, false), "changeme", "/tmp/status.txt"),
 	}
 
 	mockPodExecClient.AddMockPodExecReturnContexts(ctx, podExecCommands, mockPodExecReturnContexts...)
@@ -4500,6 +4518,12 @@ func TestAddTelAppCMaster(t *testing.T) {
 func TestAddTelAppCManager(t *testing.T) {
 	ctx := context.TODO()
 
+	savedGetSpecificSecretTokenFromPod := splutil.GetSpecificSecretTokenFromPod
+	defer func() { splutil.GetSpecificSecretTokenFromPod = savedGetSpecificSecretTokenFromPod }()
+	splutil.GetSpecificSecretTokenFromPod = func(ctx context.Context, c splcommon.ControllerClient, podName string, namespace string, secretToken string) (string, error) {
+		return "changeme", nil
+	}
+
 	// Define CRs
 	cmCr := &enterpriseApi.ClusterManager{
 		TypeMeta: metav1.TypeMeta{
@@ -4516,7 +4540,7 @@ func TestAddTelAppCManager(t *testing.T) {
 	// Define mock podexec context
 	podExecCommands := []string{
 		fmt.Sprintf(createTelAppNonShcString, telAppConfString, telAppDefMetaConfString),
-		telAppReloadString,
+		fmt.Sprintf(telAppReloadString, "changeme"),
 	}
 
 	mockPodExecReturnContexts := []*spltest.MockPodExecReturnContext{
@@ -4540,7 +4564,7 @@ func TestAddTelAppCManager(t *testing.T) {
 	// Test shc
 	podExecCommands = []string{
 		fmt.Sprintf(createTelAppShcString, shcAppsLocationOnDeployer, shcAppsLocationOnDeployer, telAppConfString, shcAppsLocationOnDeployer, telAppDefMetaConfString, shcAppsLocationOnDeployer),
-		fmt.Sprintf(applySHCBundleCmdStr, GetSplunkStatefulsetURL(shcCr.GetNamespace(), SplunkSearchHead, shcCr.GetName(), 0, false), "/tmp/status.txt"),
+		fmt.Sprintf(applySHCBundleCmdStr, GetSplunkStatefulsetURL(shcCr.GetNamespace(), SplunkSearchHead, shcCr.GetName(), 0, false), "changeme", "/tmp/status.txt"),
 	}
 
 	mockPodExecClient.AddMockPodExecReturnContexts(ctx, podExecCommands, mockPodExecReturnContexts...)
@@ -4696,6 +4720,12 @@ func TestIsAppAlreadyInstalled(t *testing.T) {
 		},
 	}
 
+	savedGetSpecificSecretTokenFromPod := splutil.GetSpecificSecretTokenFromPod
+	defer func() { splutil.GetSpecificSecretTokenFromPod = savedGetSpecificSecretTokenFromPod }()
+	splutil.GetSpecificSecretTokenFromPod = func(ctx context.Context, c splcommon.ControllerClient, podName string, namespace string, secretToken string) (string, error) {
+		return "changeme", nil
+	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Create a test CR
@@ -4718,7 +4748,7 @@ func TestIsAppAlreadyInstalled(t *testing.T) {
 			}
 
 			// Add the mock command and return context - use the exact command pattern
-			command := "/opt/splunk/bin/splunk list app testapp -auth admin:`cat /mnt/splunk-secrets/password`| grep ENABLED"
+			command := "/opt/splunk/bin/splunk list app testapp -auth admin:changeme| grep ENABLED"
 			mockPodExecClient.AddMockPodExecReturnContexts(ctx, []string{command}, mockReturnContext)
 
 			// Call the function

pkg/splunk/enterprise/names.go

@@ -106,15 +106,15 @@ const (
 
 	manualAppUpdateCMStr = "splunk-%s-manual-app-update"
 
-	applySHCBundleCmdStr = "/opt/splunk/bin/splunk apply shcluster-bundle -target https://%s:8089 -auth admin:`cat /mnt/splunk-secrets/password` --answer-yes -push-default-apps true &> %s &"
+	applySHCBundleCmdStr = "/opt/splunk/bin/splunk apply shcluster-bundle -target https://%s:8089 -auth admin:%s --answer-yes -push-default-apps true &> %s &"
 
 	shcBundlePushCompleteStr = "Bundle has been pushed successfully to all the cluster members.\n"
 
 	shcBundlePushStatusCheckFile = "/operator-staging/appframework/.shcluster_bundle_status.txt"
 
-	applyIdxcBundleCmdStr = "/opt/splunk/bin/splunk apply cluster-bundle -auth admin:`cat /mnt/splunk-secrets/password` --skip-validation --answer-yes"
+	applyIdxcBundleCmdStr = "/opt/splunk/bin/splunk apply cluster-bundle -auth admin:%s --skip-validation --answer-yes"
 
-	idxcShowClusterBundleStatusStr = "/opt/splunk/bin/splunk show cluster-bundle-status -auth admin:`cat /mnt/splunk-secrets/password`"
+	idxcShowClusterBundleStatusStr = "/opt/splunk/bin/splunk show cluster-bundle-status -auth admin:%s"
 
 	idxcBundleAlreadyPresentStr = "No new bundle will be pushed. The cluster manager and peers already have this bundle"
 
@@ -207,7 +207,7 @@ access = read : [ * ], write : [ admin ]
 	createTelAppShcString = "mkdir -p %s/app_tel_for_sok/default/; mkdir -p %s/app_tel_for_sok/metadata/; printf '%%s' \"%s\" > %s/app_tel_for_sok/default/app.conf; printf '%%s' \"%s\" > %s/app_tel_for_sok/metadata/default.meta"
 
 	// Command to reload app configuration
-	telAppReloadString = "curl -k -u admin:`cat /mnt/splunk-secrets/password` https://localhost:8089/services/apps/local/_reload"
+	telAppReloadString = "curl -k -u admin:%s https://localhost:8089/services/apps/local/_reload"
 
 	// Name of the telemetry configmap: <namePrefix>-manager-telemetry
 	telConfigMapTemplateStr = "%smanager-telemetry"

pkg/splunk/test/util.go

@@ -179,3 +179,8 @@ func (client *MockPodExecClient) SetTargetPodName(ctx context.Context, targetPod
 func (client *MockPodExecClient) GetTargetPodName() string {
 	return client.TargetPodName
 }
+
+// GetClient returns the ControllerClient from MockPodExecClient
+func (client *MockPodExecClient) GetClient() splcommon.ControllerClient {
+	return client.Client
+}

pkg/splunk/util/util.go

@@ -256,6 +256,7 @@ type PodExecClientImpl interface {
 	GetTargetPodName() string
 	GetCR() splcommon.MetaObject
 	SetCR(splcommon.MetaObject)
+	GetClient() splcommon.ControllerClient
 }
 
 // blank assignment to implement PodExecClientImpl
@@ -332,6 +333,11 @@ func (podExecClient *PodExecClient) SetCR(cr splcommon.MetaObject) {
 	podExecClient.cr = cr
 }
 
+// GetClient returns the ControllerClient from the PodExecClient
+func (podExecClient *PodExecClient) GetClient() splcommon.ControllerClient {
+	return podExecClient.client
+}
+
 // NewStreamOptionsObject return a new streamoptions object for the given command
 func NewStreamOptionsObject(command string) *remotecommand.StreamOptions {
 	return &remotecommand.StreamOptions{